Signal’s New Sealed Sender 2.0 Is the Most Important Privacy Update of the Year

Signal shipped Sealed Sender 2.0 last week, and the cryptography community has been quietly excited about it in the way cryptographers get excited about things: by posting detailed technical analyses to mailing lists that nobody else reads.

The update matters. Here is why, in plain language.

The original Sealed Sender, introduced in 2018, hid the sender’s identity from Signal’s servers when delivering messages — the server could see who was receiving a message but not who sent it. Sealed Sender 2.0 extends this to group messaging, which is where the original implementation had a meaningful gap: in groups, the server could correlate message timing and recipient lists in ways that, under sustained traffic analysis, could probabilistically identify senders even without accessing message content.

The new implementation uses a cryptographic technique called anonymous credentials, combined with rate-limiting tokens, to eliminate this correlation vector without requiring Signal to validate sender identity at delivery time. The practical result is that Signal now provides metadata protection for group messaging that was not achievable under the previous architecture.

This is not a theoretical improvement. Metadata — who is talking to whom, when, in what group — is often more operationally useful to adversaries than message content. For journalists, activists, and anyone communicating under conditions of adversarial surveillance, Sealed Sender 2.0 is a meaningful upgrade.